Conjur environment variables - Kubernetes

Hi,

I’m trying to use the following Conjur parameters for Kubernetes but I’m not sure if they are correct:

  • CONJUR_APPLIANCE_URL=https://conjur.myorg.com:32149
    elsewhere I saw a format like this:
    https://<conjur-service-name>.<conjur-namespace-name>.svc.cluster.local

  • CONJUR_AUTHN_URL=https://conjur.myorg.com:32149/authn-k8s/sidecar
    elsewhere I saw a format like this:
    https://<conjur-service-name>.<conjur-namespace-name>.svc.cluster.local/authn-k8s/<authenticator-id>

  • CONJUR_AUTHN_LOGIN=host/conjur/authn-k8s/sidecar/apps/sidecar-demo/sidecar-demo-app

What is correct?

Any explanation on this would be very helpful!

Hello @jhunt!

I really like the way the required parameters are broken out in the Secretless documentation, so I often refer back to that page to get these values.

In general, if your Conjur service is running in Kubernetes (and has an associated K8s service resource defined) then you can define:

| env var | description | value |
|---|---|---|
| CONJUR_APPLIANCE_URL | The URL of the Conjur service API endpoint reachable from within the cluster. | For most Kubernetes clusters, the endpoint follows this pattern: https://[Conjur Service Name].[Conjur Namespace].svc.cluster.local/ |
| CONJUR_AUTHN_URL | This is the authentication endpoint for the specific authenticator your app should be using. | If your authenticator name is $AUTHENTICATOR_NAME, then the value of this variable has the form: $CONJUR_APPLIANCE_URL/authn-k8s/$URLENCODED_AUTHENTICATOR_NAME, where URLENCODED_AUTHENTICATOR_NAME is the url-encoded version of AUTHENTICATOR_NAME. |
| CONJUR_AUTHN_LOGIN | The Conjur host identity your app should be authenticating as. | The specific value will depend on how you’ve set up your authn-k8s policy; for example, if you’ve chosen to use service account-scoped identities, then a common configuration has the host set to host/conjur/authn-k8s/AUTHENTICATOR_NAME/apps/APP_NAMESPACE/service_account/APP_SERVICE_ACCOUNT, where your app is defined in the conjur/authn-k8s/AUTHENTICATOR_NAME/apps/ policy branch and is going to be deployed to the APP_NAMESPACE K8s namespace with a service account named APP_SERVICE_ACCOUNT. |

I hope this is helpful, but please feel free to follow up if you have further questions. For example, my answer for the CONJUR_AUTHN_LOGIN parameter can be made more specific if you share more details about the policy you’re using to define your Kubernetes authenticator.
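The three patterns in the answer above, assembled by a small helper so the pieces (in-cluster service URL, url-encoded authenticator id, service-account-scoped host id) are built the same way every time. This is an added example, not code from the thread or from CyberArk; the Conjur service name, namespace, authenticator id, app namespace and service account used below are made up, and the sanity checks in `check_env` (https scheme, authn URL nested under the appliance URL, login starting with `host/`) are this example's own assumptions, not rules stated in the answer.

```python
"""Assemble and sanity-check the Conjur env vars discussed in the thread.

Added example; the names passed in at the bottom are constructed placeholders.
"""
from urllib.parse import quote


def appliance_url(service_name: str, conjur_namespace: str) -> str:
    """In-cluster endpoint: https://<conjur-service-name>.<conjur-namespace>.svc.cluster.local"""
    return f"https://{service_name}.{conjur_namespace}.svc.cluster.local"


def authn_url(appliance: str, authenticator_id: str) -> str:
    """<CONJUR_APPLIANCE_URL>/authn-k8s/<url-encoded authenticator id>.

    safe="" makes quote() encode "/" as well, so an authenticator id such as
    "dev/cluster1" becomes one path segment ("dev%2Fcluster1") rather than two.
    A trailing slash on the appliance URL (as in the pattern in the table) is
    stripped so the result never contains "//authn-k8s".
    """
    return f"{appliance.rstrip('/')}/authn-k8s/{quote(authenticator_id, safe='')}"


def authn_login(authenticator_id: str, app_namespace: str, service_account: str) -> str:
    """Service-account-scoped host id, following the policy layout from the answer.

    The authenticator id is NOT url-encoded here: this is a policy path, not a URL.
    """
    return (
        f"host/conjur/authn-k8s/{authenticator_id}/apps/"
        f"{app_namespace}/service_account/{service_account}"
    )


def conjur_env(service_name: str, conjur_namespace: str, authenticator_id: str,
               app_namespace: str, service_account: str) -> dict:
    """Return the three env vars as a dict ready to drop into a pod spec."""
    appliance = appliance_url(service_name, conjur_namespace)
    return {
        "CONJUR_APPLIANCE_URL": appliance,
        "CONJUR_AUTHN_URL": authn_url(appliance, authenticator_id),
        "CONJUR_AUTHN_LOGIN": authn_login(authenticator_id, app_namespace, service_account),
    }


def check_env(env: dict) -> list:
    """Consistency checks for a hand-written set of values (assumed rules, see lead-in)."""
    problems = []
    appliance = env.get("CONJUR_APPLIANCE_URL", "")
    authn = env.get("CONJUR_AUTHN_URL", "")
    login = env.get("CONJUR_AUTHN_LOGIN", "")
    if not appliance.startswith("https://"):
        problems.append("CONJUR_APPLIANCE_URL should be an https:// URL")
    if not authn.startswith(appliance.rstrip("/") + "/authn-k8s/"):
        problems.append("CONJUR_AUTHN_URL should be CONJUR_APPLIANCE_URL followed by /authn-k8s/<id>")
    if not login.startswith("host/"):
        problems.append("CONJUR_AUTHN_LOGIN should be a Conjur host identity (host/...)")
    return problems


if __name__ == "__main__":
    # Constructed placeholder names; replace with your own service, namespace and policy values.
    env = conjur_env("conjur-oss", "conjur", "dev/cluster1", "sidecar-demo", "sidecar-demo-app")
    for key, value in env.items():
        print(f"{key}={value}")
    print("problems:", check_env(env) or "none")
```

The `quote(..., safe="")` call is the one step worth noticing: with the default `safe="/"` a slash in the authenticator id would be left alone and the URL path would gain an extra segment, which is exactly the mismatch the URLENCODED_AUTHENTICATOR_NAME note in the table is warning about.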

Thank you @izgerij, that was very helpful!
